Compliance Is Where AI Co-Pilots Go To Die
1. Key Themes
Theme 1: The AI Adoption Gap in VC Is a Compliance Problem, Not a Technology Problem
The barrier to firm-wide AI rollout isn't the quality of the tools — it's the organizational and legal friction that prevents deployment beyond individual experimentation.
"The gap between a curious associate running prompts on a personal account and a firm where AI is wired into deal flow is not a technology gap. It is a compliance gap."
"Roughly half the industry is experimenting, while only a low single-digit percentage has rolled AI out at full scale. The tools are ready. The firms are not."
Theme 2: Shadow AI Is the Biggest Unacknowledged Risk in Investment Firms
Before firms can debate whether to adopt AI, they need to reckon with the fact that ungoverned AI use is already happening — and that reality is the most persuasive argument for a governed rollout.
"People are already pasting deal decks, LP correspondence and diligence notes into whatever app is open on their phone, with no logging and no data controls."
"The biggest AI risk in most firms today is those ungoverned tools the team already uses several times a day on personal accounts."
"Once compliance sees that, the conversation moves from whether to allow AI to how quickly you can replace the ungoverned version with a governed one."
Theme 3: MCP (Model Context Protocol) as the Governed Integration Layer
The open standard MCP is emerging as the key technical architecture that lets AI models access firm data without ad hoc copy-pasting — and critically, it gives compliance teams more explicit control than the alternatives.
"MCP is the open standard that lets a model reach into your CRM, your data room or your drive without anyone copy-pasting anything. You decide which connectors are live, which permissions they carry, and you start read-only."
"Compliance tends to like this, because access becomes explicit and scoped. Compare it with the alternative, an associate emailing a deck into a chatbot, where you control nothing and log nothing."
Theme 4: Compliance-First AI Adoption Creates Durable Competitive Moats
Solving the compliance problem is not just risk management — it's what gives firms permission to point AI at their most proprietary and valuable data, which is where the actual edge lies.
"The funds that solve the compliance unlock now get to put AI next to their most valuable data: proprietary deal flow, portfolio signal, internal knowledge. That is exactly where the edge is."
"The constraint is organizational, and organizational constraints compound."
"Solve it once, deliberately, and you graduate from running pilots to actually running on AI."
Theme 5: AI "Skills" as Auditable, Version-Controlled Firm Procedures
Encoding repeatable workflows into AI skills reframes AI outputs as compliance-approved procedures — making them more governable than the manual workflows they replace.
"Skills package your firm's repeatable workflows, your diligence checklists, your memo formats, your scoring rubrics, into reusable, version-controlled instructions."
"A reviewed skill means the AI is following a procedure your compliance team signed off on, one they can produce on demand. For a regulated firm, that is the whole game, and it's even better than in the previous all-manual world, where workflows were unknowns."
2. Contrarian Perspectives
Perspective 1: Compliance is not the enemy of AI adoption — it's the permission slip
The conventional framing treats legal and compliance teams as obstacles to AI deployment. Retterath argues the opposite: getting compliance onside early is what unlocks access to the highest-value data.
"Done well, compliance is the permission slip that lets you point these tools at the data that matters."
The evidence: firms that bring legal to the table from week one move faster, not slower, because they avoid the rework and rollbacks that come from deploying without approval.
"The fastest rollouts I have seen had legal at the table from the start."
Perspective 2: AI governance structures are actually more auditable than the manual status quo
Most compliance teams assume AI introduces new opacity. The article argues that AI workflows — when built correctly with skills and MCP — are more auditable and inspectable than existing manual processes, which have no equivalent paper trail.
"A skill is a document. It can be read, redlined, approved and audited like any other internal policy... it's even better than in the previous all-manual world, where workflows were unknowns."
This inverts the typical risk calculus: the status quo (unlogged manual workflows) is less defensible than a governed AI deployment.
Perspective 3: Starting with a phased, "boring data first" approach is strategically necessary, not just cautious
It might seem like limiting AI to public filings and internal research notes in Phase 1 is excessively conservative. But Retterath frames it as deliberately building the organizational track record needed to earn access to sensitive data in later phases.
"The point of phase one is the paper trail. You are building organizational muscle and a record of safe usage that earns the right to move to phase two."
This is a non-obvious operating insight: AI rollout is as much a trust-building exercise with your own institution as it is a technical deployment.
3. Companies Identified
Vessel
- Description: Agentic fund operations platform for VC and PE firms; newsletter sponsor
- Why mentioned: Positioned as the solution to fragmented data, enabling AI agents to operate on a unified data foundation
- Quote: "Fragmented data doesn't scale. Neither does the team managing it. The firms that move fastest have one thing in common: a unified data foundation their agents can actually use."
Anthropic (Claude / Claude Code)
- Description: AI company behind the Claude large language model and Claude Code coding agent
- Why mentioned: Named as one of the primary AI tools being experimented with in investment firms and a coding agent used for internal tooling
- Quote: "Every fund I talk to has tried Claude or Codex." / "Coding agents like Codex or Claude Code enter the picture."
OpenAI (Codex)
- Description: AI company behind the Codex coding agent
- Why mentioned: Cited alongside Claude as one of the leading AI tools funds are experimenting with, particularly for building internal tooling, screening models, and data pipelines
- Quote: "Every fund I talk to has tried Claude or Codex."
OpenClaw
- Description: Workflow automation tool for investors
- Why mentioned: Referenced in a prior newsletter episode as a case study for automating daily investor workflows (linked as "most read" content, not discussed in body)
- Quote: "How Investors Use OpenClaw to Automate Daily Workflows" (article title referenced)
4. People Identified
Andre Retterath
- Description: Author of Data Driven VC newsletter; investor and practitioner in data-driven investing
- Why mentioned: Author and practitioner providing the playbook; draws on direct observation of firm AI rollouts
- Quote: "The fastest rollouts I have seen had legal at the table from the start."
5. Operating Insights
Insight 1: Settle data governance before selecting tools — and mandate enterprise/API tiers with zero data retention
The single decision that resolves the majority of legal objections is ensuring all firm AI usage runs on governed infrastructure, not consumer apps. This should be done before any tool is selected.
"Deploy through an enterprise or API tier with zero data retention and a contractual guarantee that your inputs are not used to train the model. The consumer app is fine for personal curiosity. Regulated workflows belong on the governed tier. Add single sign-on, role-based access and admin-level logging on day one."
Insight 2: Name the compliance concerns explicitly and answer them in order
Vague, unnamed worry is what stalls AI projects inside firms. The playbook is to write the concerns down — data leakage, LP confidentiality, audit trails, vendor risk, access sprawl — and resolve them sequentially before rollout.
"Unnamed worry is what stalls these projects. Write the concerns down and each one turns out to have a clean answer... The rollout works when you answer them in order."
Insight 3: Assign one named owner with a real mandate — not a committee
Governance by committee is a deployment killer. Accountability must be singular to drive decisions and maintain momentum.
"One named owner with a real mandate. Deployments that belong to a committee tend to go nowhere."
6. Overlooked Insights
Insight 1: Coding agents (Claude Code, Codex) require a distinct risk framework from conversational AI
The article briefly but importantly distinguishes coding agents as a separate category with their own compliance considerations — specifically around repository access, secret/API key handling, and mandatory human review gates before code merges. This is largely absent from most AI governance conversations in financial services.
"Which repositories can the agent touch. How are secrets and API keys handled. Who reviews the code before it ships... A coding agent with read access to one sandboxed repo and a mandatory review gate carries a very different risk profile from one holding the keys to production."
Insight 2: The "human-in-the-loop" rule should be scoped specifically to external-facing and financial actions, not all AI outputs
Rather than a blanket "human reviews everything" policy (which creates bottlenecks and kills adoption), the article proposes a more surgical rule: human approval is required only when the output touches money or an external party.
"Human-in-the-loop on anything that touches money or an external party. The model drafts, a person sends."
This scoping is critical — it preserves efficiency on internal tasks while maintaining accountability on high-stakes outputs.
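The scoping rule above, together with the explicit read-only connector scoping of Theme 3 and the day-one admin logging of Operating Insight 1, as an added example (not code from the newsletter, Vessel, or any MCP server): a small policy gate that every AI tool call passes before it reaches a connector. Connector names, actions and the two phases are constructed for illustration.

```python
"""Policy gate for AI tool calls: explicit, scoped connectors; a read-only
phase one; human approval for anything that touches money or an external
party; and one log record per call. All names below are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Hypothetical phase-one scope: "boring data first", every connector read-only.
PHASE1 = {"public_filings": {"read"}, "research_notes": {"read"}}
# Hypothetical phase-two scope: proprietary data plus an outbound channel.
PHASE2 = {**PHASE1, "crm": {"read"}, "data_room": {"read"},
          "email": {"draft", "send"}}
# Actions that touch money or an external party: the model drafts, a person sends.
HUMAN_GATED = {"send", "wire", "share_externally"}

@dataclass
class Decision:
    allowed: bool       # may the call proceed at all
    needs_human: bool   # if allowed, must a person approve before execution
    reason: str

@dataclass
class ToolGate:
    connectors: dict                               # connector -> permitted actions
    audit_log: list = field(default_factory=list)  # one JSON record per call

    def evaluate(self, user: str, connector: str, action: str) -> Decision:
        if connector not in self.connectors:
            d = Decision(False, False, f"connector {connector!r} not enabled")
        elif action not in self.connectors[connector]:
            d = Decision(False, False, f"{action!r} not permitted on {connector!r}")
        elif action in HUMAN_GATED:
            d = Decision(True, True, "touches money or an external party: human approves")
        else:
            d = Decision(True, False, "in-scope action")
        # Admin-level logging: every call, allowed or not, lands in the trail.
        self.audit_log.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(), "user": user,
            "connector": connector, "action": action, "allowed": d.allowed,
            "needs_human": d.needs_human, "reason": d.reason}))
        return d

def denied_count(gate: ToolGate) -> int:
    """Compliance check over the trail: how many calls the gate refused."""
    return sum(1 for line in gate.audit_log if not json.loads(line)["allowed"])

if __name__ == "__main__":
    gate = ToolGate(PHASE1)
    for call in [("analyst", "public_filings", "read"), ("analyst", "crm", "read"),
                 ("analyst", "research_notes", "write")]:
        print(call, gate.evaluate(*call))
    print(ToolGate(PHASE2).evaluate("analyst", "email", "send"))
```

Moving from phase one to phase two is a change to the connector table only; the gate, the human-approval rule and the log format stay the same, which is what makes the phase-one paper trail reusable.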